Ohio Senate Bill 220 Creates Cybersecurity Safe Harbor


October 22, 2018

Ohio recently enacted legislation providing a “safe harbor” in the form of an affirmative defense against causes of action in tort that allege that an entity failed to implement reasonable information security controls, resulting in a data breach concerning personal information or restricted information (the unauthorized disclosure of which is likely to result in a material risk of identity theft or other fraud).

The new provisions of the Ohio Revised Code, which take effect on November 2, 2018, essentially define “reasonable security measures” based on industry standards and timeframes within which these security measures are to be implemented or revised as such standards evolve, in order to qualify for the safe harbor protections.

The industry cybersecurity frameworks which are considered reasonable security measures include, generally, those prescribed in several National Institute of Standards publications and other federal and international frameworks, as well as industry-specific standards (including HIPAA, HITECH, GLB and PCI).

The scale and scope of the requisite cybersecurity framework is based on factors which include: the size and complexity of an entity; the nature and scope of the entity’s activities; the sensitivity of the information to be protected; the cost and availability of the tools to improve information security and reduce vulnerabilities; and the resources available to the covered entity. Entities which are eligible for safe harbor protections are defined broadly to include those that access, maintain, communicate or process personal information or restricted information using systems, networks, or services located in or outside of Ohio.

In addition to the safe harbor provisions, the new legislation also expressly provides that records or contracts secured using blockchain technology are “electronic records” and that signatures secured using blockchain technology are “electronic signatures” under Ohio law.

The foregoing additions to Ohio law may help many businesses to shield themselves from liability for cybersecurity breach incidents. To better understand how this may benefit your business, please contact us